
Modules - Certificates [crt]

The CRT module is designed to handle various certificate authority implementations via specific drivers. Currently there is one driver implemented, the CAW driver, which handles communication with the CAW certificate authority (bundled in the module).

On Windows, using diacritics in certificate/CSR DNs is currently not supported due to bug #8317 in OpenSSL. This affects the CRT module with the CAW Windows driver. IdM handles this by stripping diacritics from certain strings before passing them to the CAW. On Linux, diacritics work fine.

Operations with certificates

Architecture

The module consists of these basic parts:

(Figure: CRT module architecture)

Read more

Info about versions

Drivers

Admin tutorials

Devel guide

Download secret

The secret of any certificate can be downloaded by a user with the permissions CERTIFICATE_READ and CERTIFICATE_DOWNLOADSECRET. The secret is encrypted with the RSA public key stored in the configuration item idm.sec.crt.secret.pub; the key length is arbitrary (2048 bits or more is recommended). The private key is stored in an external application and is used to decrypt the secret. The key pair can be generated with these commands (you can change 2048 to 4096, 8192, …):

openssl genrsa -out private.key 2048
openssl rsa -in private.key -outform PEM -pubout -out public.key

The public key to be stored in the IdM configuration is in the file public.key: save it without the lines starting with ----- (the BEGIN/END markers), joined into one line without spaces. The private key, used by the external application to decrypt the secret, is in the file private.key.

The URL for secret download is /api/v1/crt/certificates/{certificateId}/download-secret, where certificateId is the UUID of the certificate in IdM. The response is JSON with this structure:

{
  "certificate_id": "certificateId from URL",
  "secret": "Base64 encoded RSA encrypted certificate secret by public key in idm.sec.crt.secret.pub"
}
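The two steps around this endpoint that the page leaves to the operator, as an added example that is not IdM's own code: flattening public.key into the idm.sec.crt.secret.pub value, and the external application's decryption of the "secret" field with private.key. The RSA padding is not stated on the page; the script assumes PKCS#1 v1.5 (openssl pkeyutl's default), and the demo() function uses a constructed key pair, secret and response rather than a real IdM instance.

```shell
#!/bin/sh
# Added example, not CzechIdM code. Assumption: the secret is RSA-encrypted with
# PKCS#1 v1.5 padding (openssl pkeyutl's default). If IdM uses OAEP instead, add
# "-pkeyopt rsa_padding_mode:oaep" to the pkeyutl -decrypt command below.
set -e

# Turn public.key into the single-line value for idm.sec.crt.secret.pub:
# drop the "-----BEGIN/END PUBLIC KEY-----" lines, join the rest, strip spaces.
flatten_pubkey() {
    grep -v '^-----' "$1" | tr -d '\n '
}

# Pull the base64 "secret" field out of the download-secret JSON response.
extract_secret_field() {
    tr -d '\n' < "$1" | sed -n 's/.*"secret"[[:space:]]*:[[:space:]]*"\([^"]*\)".*/\1/p'
}

# External-app side: decode base64, then RSA-decrypt with the private key.
# Usage: decrypt_secret response.json private.key  -> prints the plaintext secret
decrypt_secret() {
    extract_secret_field "$1" \
        | openssl base64 -d -A \
        | openssl pkeyutl -decrypt -inkey "$2"
}

# Demo with a constructed key pair, secret and response (no IdM involved).
demo() {
    dir=$(mktemp -d)
    openssl genrsa -out "$dir/private.key" 2048 2>/dev/null
    openssl rsa -in "$dir/private.key" -outform PEM -pubout -out "$dir/public.key" 2>/dev/null
    printf 'example-secret-1234' > "$dir/secret.txt"
    # What IdM does with the configured public key: encrypt, then base64 the ciphertext.
    enc=$(openssl pkeyutl -encrypt -pubin -inkey "$dir/public.key" -in "$dir/secret.txt" \
          | openssl base64 -A)
    printf '{\n  "certificate_id": "00000000-0000-0000-0000-000000000000",\n  "secret": "%s"\n}\n' \
        "$enc" > "$dir/response.json"
    decrypt_secret "$dir/response.json" "$dir/private.key"
    rm -rf "$dir"
}
```

Run `demo` to see the round trip; in production only decrypt_secret and flatten_pubkey are needed, with the private key kept outside IdM.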